formbook

General

Target

d539659a09b05e566ef841b6fcd758915b5a2162fd666d35d37ee06687becc8a.exe
Size

231KB
Sample

221201-ry9hqacb91
MD5

20c94036d44ddfcf433855a660f611d7
SHA1

828ed3f1d14d1b67b7c09fb8a34bacf039ac7842
SHA256

d539659a09b05e566ef841b6fcd758915b5a2162fd666d35d37ee06687becc8a
SHA512

08f7855cb08ad83e1eade9d062878164eea9f3d6ff5b887be8a2fd21cedca99929f87b307596381e3683cd8c0a5d3920f8a1eed5cf6717913e74def4c130d273
SSDEEP

6144:MEa0Nn79rkzbkn6Qfu9+BdHGAdkEWHk76huXLjGQs4b:X79rkzInvugvkvk76kXLjGgb

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

fqsu

Decoy

GhfTqaOqC4FsyoQRW/8=

kbPIpd/8k1C6zJz5mYYdK90ZUA==

VIdg/CoNGeYJHA==

KhzoqndOhw1j43z0ew==

wv8mTDcsX2wJN/Q=

MqBgt6S+3BgGKBQHLZy7Ucg=

GyhOb++nZDi39NPK7dbaKapf

pBtD1UoSTdo3eSp9H7OhRqMV0TAuKMU=

WTzTg1w+fP4fMO0oPPM=

NS/tpGdUwkiMwqmgkxoSzjrQATAuKMU=

MnoSdM1hYn4tdwxjB2fX

3EUfH2EJY17mMf4=

V9/wg2yCQruVszm7V+4=

aNL8pZCGYW4Ej2LD

1Bif9VkmdgVfrJqRvl1GtlTZq1M=

9wHIgmB8EOB2uUVcUfk=

1Fdn15qem+fL1qhrY9xdQmAnVg==

Y32ThttYUUr6PsuRmozlNP74RD+uBz7dOQ==

f5HKyoWNAJLM2qjnZlizsvXDKFs=

mRfaGezap6ZyvJqthZvf

Extracted

Family

xloader

Version

3.8

Campaign

fqsu

Decoy

GhfTqaOqC4FsyoQRW/8=

kbPIpd/8k1C6zJz5mYYdK90ZUA==

VIdg/CoNGeYJHA==

KhzoqndOhw1j43z0ew==

wv8mTDcsX2wJN/Q=

MqBgt6S+3BgGKBQHLZy7Ucg=

GyhOb++nZDi39NPK7dbaKapf

pBtD1UoSTdo3eSp9H7OhRqMV0TAuKMU=

WTzTg1w+fP4fMO0oPPM=

NS/tpGdUwkiMwqmgkxoSzjrQATAuKMU=

MnoSdM1hYn4tdwxjB2fX

3EUfH2EJY17mMf4=

V9/wg2yCQruVszm7V+4=

aNL8pZCGYW4Ej2LD

1Bif9VkmdgVfrJqRvl1GtlTZq1M=

9wHIgmB8EOB2uUVcUfk=

1Fdn15qem+fL1qhrY9xdQmAnVg==

Y32ThttYUUr6PsuRmozlNP74RD+uBz7dOQ==

f5HKyoWNAJLM2qjnZlizsvXDKFs=

mRfaGezap6ZyvJqthZvf

Targets

- Target
  
  d539659a09b05e566ef841b6fcd758915b5a2162fd666d35d37ee06687becc8a.exe
- Size
  
  231KB
- MD5
  
  20c94036d44ddfcf433855a660f611d7
- SHA1
  
  828ed3f1d14d1b67b7c09fb8a34bacf039ac7842
- SHA256
  
  d539659a09b05e566ef841b6fcd758915b5a2162fd666d35d37ee06687becc8a
- SHA512
  
  08f7855cb08ad83e1eade9d062878164eea9f3d6ff5b887be8a2fd21cedca99929f87b307596381e3683cd8c0a5d3920f8a1eed5cf6717913e74def4c130d273
- SSDEEP
  
  6144:MEa0Nn79rkzbkn6Qfu9+BdHGAdkEWHk76huXLjGQs4b:X79rkzInvugvkvk76kXLjGgb
Score

10^/10

formbook xloader fqsu loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2